Validate Trust Chain

Overview

TRAIN is a trust validation service that evaluates the trustworthiness of Verifiable Credentials (VCs) by checking whether the issuer's Decentralized Identifier (DID) can be traced back to a trusted source—known as a root of trust.

This page explains how TRAIN performs trust validation for credentials issued within the cheqd ecosystem, using Decentralized Trust Chains (DTCs) to verify each step in the chain from the credential issuer to a recognized root authority.

Get started with TRAIN TTV API

Use the TRAIN APIs below to validate your trust chain:

What TRAIN Does

TRAIN's Trust Validator (TTV) validates credentials by:

1. Taking a Verifiable Credential (VC) as input.

2. Identifying the issuer DID from the credential.

3. Following the credential's trust chain, resolving links between DIDs, Verifiable Accreditations, and Trust Anchors.

4. Verifying whether the top-level (root) entity in the chain is a trusted source (e.g., DNS-anchored entity, government body, industry group).

5. Producing a trust assessment (e.g., valid/invalid, verified/unverified) that can be consumed by relying parties.

How TRAIN Uses the cheqd Trust Anchor

Within the cheqd network, Trust Anchors represent root entities that can authorize other issuers via Verifiable Accreditations. These accreditations form Decentralized Trust Chains, which TRAIN evaluates to determine if a credential is trustworthy.

TRAIN integrates the cheqd Trust Anchor model by:

• Recognizing VerifiableAccreditation credentials as establishing authority between entities.

• Resolving these links recursively up the chain until it reaches a root-level DID.

• Checking whether the root DID is associated with a DNS-anchored Trust Anchor using DNSTrustFrameworkPointer entries.

Validation Logic

When TRAIN evaluates a credential issued within cheqd's ecosystem, it performs the following checks:

1. Credential Verification Validates the signature and schema of the input Verifiable Credential.

2. Trust Chain Resolution Follows the termsOfUse field and associated VerifiableAccreditation resources to build the credential’s trust chain.

3. Anchor Resolution Locates the root DID and evaluates whether it has a valid DNSTrustFrameworkPointer or other proof-of-authority reference (e.g., X.509 linkage).

4. Anchor Validation Confirms that the root DID’s association with a domain name is cryptographically anchored using DNS-based proofs (e.g., DNS TXT records or TLSA).

5. Policy Compliance (optional) Validates that the trust chain complies with local or domain-specific policy requirements (e.g., only accept credentials rooted in .gov domains).

TRAIN Trust Validator (TTV) Request Format

The following fields are used when submitting a request to the TRAIN Trustworthiness Validator (TTV). This validator checks whether the issuer of a Verifiable Credential is trustworthy by tracing their accreditations up a trust chain. The fields below are passed as JSON in the request body and instruct TRAIN on how to resolve and validate the issuer's authority and compliance with a defined trust policy.

TRAIN Trust Valdiator (TTV) Response Format

When a trust validation request is submitted, the TRAIN Trust Validator returns a structured JSON response describing the outcome of the trust chain evaluation. This includes the result of DNS anchoring checks (if requested) and the discovered trust framework that governs the credential's validation.

Below is a breakdown of each field returned in the response:

Benefits of Using TRAIN with cheqd

• Decentralized Assurance: No need to trust a single registry—chains of accreditations are independently verifiable.

• DNS Anchoring: Leverages globally resolvable domain infrastructure to provide high-assurance validation.

• Interoperable: Built on open standards like DIDs, VCs, and JSON-LD for compatibility with other ecosystems.

Sequence Diagram for Validation

Below is a sequence diagram showing how a request is fully validated.